November 20, 2019 Tech Tip

Cybersecurity and Data Privacy Professional Credentialing: Which One Is for You?

By Lauren D. Godfrey

As the number of cybersecurity incidents continues to rise, cybersecurity and data privacy professionals remain in high demand. The FBI reports that cyberattacks are becoming more commonplace, dangerous, and sophisticated. Symantec reports that the number of organizations targeted by ransomware attacks has multiplied in the past year (Dick O'Brien, Jon DiMaggio, and H.G. Nguyen, Targeted Ransomware: An ISTR Special Report, Symantec, July 2019). Given that increase, it is not surprising that cybersecurity is among the hottest fields today. In fact, one IT recruiting company recently reported over 220,000 open cybersecurity jobs posted in the United States (Bill Bonifacic, BlueStone Recruiting, Cyber Security Division, last visited October 8, 2019).

Prior to an incident, each organization that stores data electronically must ensure that the sensitive information it holds is secured, that its employees are trained, that its policies and information technology (IT) systems are up to date, that it has appropriate insurance coverage, and, importantly, that it has an incident response plan in place. Organizations also need people with specialized training who can counsel and guide them through the legal and regulatory framework. Once an attack happens, the costs can be high. As reported by the Ponemon Institute and IBM in their 2019 Cost of a Data Breach Report, the average cost of a data breach is $3.92 million, and having an incident response team in place reduces the average cost of a breach by almost $360,000.

So, how does one obtain the credentials to become a cybersecurity and data privacy professional? Many attorneys choose to advance their careers and distinguish themselves from their peers by obtaining the Certified Information Privacy Professional (CIPP) credential from the International Association of Privacy Professionals (IAPP). The CIPP credential focuses on laws, regulations, and legal frameworks, giving holders valuable insight into compliance and risk mitigation practices. The IAPP offers four CIPP concentrations, covering the laws of the United States private sector (CIPP/US), Europe (CIPP/E), Asia (CIPP/A), and Canada (CIPP/C). The most popular are the CIPP/US and the CIPP/E. The CIPP/E credential is in demand because it focuses on the laws and regulations of European countries, including the recently enacted General Data Protection Regulation. The IAPP also offers the Certified Information Privacy Technologist (CIPT) credential for those with a background in IT, security, or engineering; the CIPT credential shows that an IT professional can build privacy requirements into products and services. Finally, the Certified Information Privacy Manager (CIPM) designation indicates that the holder can establish, maintain, and manage a privacy program.

Other certifications are offered through the nonprofit International Information System Security Certification Consortium, referred to as (ISC)², including the Certified Information Systems Security Professional (CISSP) credential, which demonstrates that an individual has the expertise to design, implement, and manage an organization's overall security program. The HealthCare Information Security and Privacy Practitioner (HCISPP) certification shows that a privacy professional has expertise in implementing, managing, or assessing security and privacy controls in the health care industry. (ISC)² also offers certifications more specific to software security, security architecture, security engineering, and security management.

Another organization offering credentials for cybersecurity and data privacy professionals is ISACA (formerly the Information Systems Audit and Control Association), a nonprofit, global membership association for IT and information systems professionals. Holding an ISACA certification provides professional recognition and credibility and can increase the holder's earning potential. ISACA offers the Certified Information Systems Auditor (CISA) credential for those who audit, control, monitor, and assess an organization's information technology and business systems. The Certified in Risk and Information Systems Control (CRISC) credential is for IT professionals who identify and manage IT risk and link it to enterprise risk management. The Certified Information Security Manager (CISM) credential is for individuals who design, build, and manage enterprise information security programs. The Certified in the Governance of Enterprise IT (CGEIT) credential establishes the holder's credibility on IT governance and its strategic alignment with the business. Finally, the CSX Cybersecurity Practitioner (CSX-P) credential demonstrates hands-on knowledge of current cybersecurity standards and practices.

The certification you choose will depend on your background, interests, and goals. Given the rise in data security incidents worldwide, whichever credential you choose will be a valuable investment of your time and money.

The material in all ABA publications is copyrighted and may be reprinted by permission only.

Lauren D. Godfrey is a partner in the Pittsburgh, Pennsylvania, office of Lewis Brisbois Bisgaard & Smith LLP. She is a member of the firm’s Cybersecurity & Data Privacy Practice Group. She is a vice-chair of TIPS’s Cybersecurity & Data Privacy Committee and may be reached at [email protected].